Aave governance is weighing a protocol-wide risk framework that would apply to every asset on Aave V3, V4, and Aave Horizon, with founder Stani Kulechov saying assets that don’t qualify for the new standard will be removed. A companion proposal would shift the Pendle PT risk oracle to a protocol-owned infrastructure built on the Chainlink Runtime Environment.
Risk services provider LlamaRisk posted both Aave Request for Comments proposals to the Aave governance forum on Tuesday. The broader framework, published Tuesday morning, includes four layers of risk: asset risk, bridging risk, monitoring and automated risk oracle systems, and chain risk.
“After approval of the proposal, the risk framework will be applied to all markets and assets,” Kulechov wrote on X on Tuesday morning. “Activities that do not qualify for the new standard will be removed from Aave in the coming weeks.”
The proposals are Aave’s first concrete structural governance response to the KelpDAO LayerZero exploit in April, in which attackers drained 116,500 rsETH, posted it as collateral on Aave’s Ethereum and Arbitrum markets, and borrowed $193 million directly from the protocol. The total collateral posted by the attacker was $221.39 million, according to LlamaRisk’s April 20 incident report. LayerZero’s May incident report, covered by The Defiant, found that the bridge had been downgraded from a 2-of-2 to a 1-of-1 DVN configuration before the exploit.
The four-layer framework
The framework governs Aave V3, V4 and Aave Horizon. It applies to asset onboarding, quarterly due diligence renewals, and any subsequent parameter or deprecation decision.
Layer 1 covers asset risk: it requires audit coverage, an active bug bounty program, sufficient liquidation liquidity, timely time slots, and operational disclosure from the issuer. Hard-block conditions include a missing or materially weak bug bounty program, undisclosed signer composition, and refusal to make the operational stack public. A hard block stops onboarding outright; for an already-listed asset it triggers an immediate reassessment of exposure levels.
Layer 2 covers bridging risk, setting a binding lower limit on the verifier-set threshold for every asset that crosses chains. The requirement is vendor-independent: it applies regardless of which bridge stack the issuer uses. An asset whose bridge configuration falls short on any mandatory item is placed in a restricted exposure tier, with lower loan-to-value ratios and lower supply caps, until remediation is complete. The rsETH exploit abused exactly this gap: the Unichain-to-Ethereum route was configured as a 1-of-1 DVN, so a single spoofed incoming packet released 116,500 rsETH from the adapter without any corresponding burn on the source chain.
Layer 3 codifies monitoring and automated risk oracle systems as permanent protocol infrastructure rather than optional tooling. Layer 4 covers chain risk, establishing evaluation criteria that determine whether Aave deploys on a chain at all and setting a fixed upper limit on the exposure tier of every asset listed on that chain.
Each recommendation generated by the framework carries a one-month implementation deadline. A recommendation that is not implemented within the month automatically converts into a hard restriction on the asset’s exposure tier.
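The four layers and the deadline rule read naturally as policy-as-code. The following is an added illustration, not LlamaRisk’s or Aave’s own tooling: it evaluates a constructed asset record against the Layer 1 hard-block conditions, the Layer 2 verifier-threshold floor, the Layer 4 per-chain cap, and the one-month conversion rule. Every numeric threshold (the floor of 2 verifiers, the restricted LTV and supply cap, the chain caps) is an assumed placeholder; the ARFC text sets the real values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Illustrative thresholds (assumed; the ARFC sets the real numbers).
MIN_REQUIRED_VERIFIERS = 2               # binding lower limit: at least 2 verifiers must sign a cross-chain message
REMEDIATION_WINDOW = timedelta(days=30)  # one-month implementation deadline
RESTRICTED_LTV = 0.50                    # reduced LTV while a mandatory item is outstanding
RESTRICTED_SUPPLY_CAP = 1_000            # reduced supply cap (asset units) in the same situation
CHAIN_LTV_CAP = {"ethereum": 0.80, "arbitrum": 0.75}  # Layer 4 upper limit per chain (assumed values)


@dataclass
class BridgeConfig:
    required_verifiers: int   # signatures needed to release funds: the "1" in a 1-of-1 DVN setup
    total_verifiers: int


@dataclass
class Asset:
    symbol: str
    chain: str
    bug_bounty_active: bool
    signers_disclosed: bool
    stack_public: bool
    ltv: float
    supply_cap: int
    bridge: Optional[BridgeConfig] = None         # None for assets native to the chain
    recommendation_issued: Optional[date] = None  # date an unresolved framework recommendation was raised


@dataclass
class Decision:
    status: str          # "hard_block", "hard_restricted", "restricted" or "ok"
    ltv: float
    supply_cap: int
    reasons: List[str]


def evaluate(asset: Asset, today: date) -> Decision:
    """Apply the framework's layers in order and return the resulting exposure tier."""
    reasons: List[str] = []

    # Layer 1: any hard-block condition stops onboarding outright.
    if not asset.bug_bounty_active:
        reasons.append("layer1: missing or materially weak bug bounty")
    if not asset.signers_disclosed:
        reasons.append("layer1: undisclosed signer composition")
    if not asset.stack_public:
        reasons.append("layer1: operational stack not public")
    if reasons:
        return Decision("hard_block", 0.0, 0, reasons)

    # Layer 4 (chain criteria): a chain Aave does not deploy on is itself a hard block.
    chain_cap = CHAIN_LTV_CAP.get(asset.chain)
    if chain_cap is None:
        return Decision("hard_block", 0.0, 0, [f"layer4: chain {asset.chain} not approved"])

    status, ltv, cap = "ok", asset.ltv, asset.supply_cap

    # Layer 2: vendor-independent floor on the bridge's verifier threshold.
    if asset.bridge is not None and asset.bridge.required_verifiers < MIN_REQUIRED_VERIFIERS:
        reasons.append(
            f"layer2: {asset.bridge.required_verifiers}-of-{asset.bridge.total_verifiers} "
            f"verifier threshold below floor of {MIN_REQUIRED_VERIFIERS}"
        )
        status, ltv, cap = "restricted", min(ltv, RESTRICTED_LTV), min(cap, RESTRICTED_SUPPLY_CAP)

    # Layer 4 (exposure cap): the chain's cap bounds every asset's exposure tier on it.
    if ltv > chain_cap:
        reasons.append(f"layer4: ltv capped at chain limit {chain_cap}")
        ltv = chain_cap

    # Deadline rule: an open recommendation past its one-month window becomes a hard restriction.
    if asset.recommendation_issued is not None and today - asset.recommendation_issued > REMEDIATION_WINDOW:
        reasons.append("deadline: recommendation unimplemented after one month")
        status, ltv, cap = "hard_restricted", 0.0, 0

    return Decision(status, ltv, cap, reasons)
```

The ordering matters: hard blocks short-circuit before any tiering, and the deadline conversion is applied last so that it overrides whatever tier the earlier layers produced. A bridged asset with a 1-of-1 verifier configuration lands in the restricted tier even if every Layer 1 item is satisfied, which is the case the rsETH incident illustrates.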
Protocol-owned PT oracle
The companion ARFC proposes migrating the Pendle PT risk oracle from its current arrangement to protocol-owned infrastructure on the Chainlink Runtime Environment, known as CRE.
The core change is ownership. Under the previous setup, risk managers held write authority over key oracle parameters with limited onchain control. Aave Governance owned the destination contracts but not the off-chain system that computes their inputs. Under the proposed structure, Aave Governance would own every contract on the path. LlamaRisk would hold only an Updater role on a new onchain ParameterRegistry, letting it tune methodology parameters per asset without a full CRE reimplementation.
LlamaRisk has been managing the PT oracle manually and pushing parameter changes through the Risk Stewards path since Chaos Labs withdrew from Aave’s risk management in April. The governance post calls this arrangement “a transition path that was never intended to be permanent.”
Three Chainlink CRE workflows would replace the manual process. The workflows compute smoothed implied rates, discount rates and liquidation parameters per E-Mode for each Pendle PT market, each publishing a signed report that a new onchain router validates. The router writes to the oracle atomically and triggers execution in a single transaction. Every parameter change is recorded onchain and is independently verifiable.
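The security property the router is meant to provide is that an oracle write happens only when the report is authentic, fresh, and within the bounds the Updater has set in the ParameterRegistry, and that the whole update lands or none of it does. The following is an added model of that flow, not Aave’s or LlamaRisk’s contract code: the CRE report signature is stood in for by HMAC-SHA256 under a per-workflow key, the ParameterRegistry is reduced to per-market bounds, and the market and parameter names are constructed. The real CRE report format and registry interface are not on the page.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple


def canonical(report: dict) -> bytes:
    """Deterministic encoding so signer and router hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes) -> str:
    """Stand-in for a CRE workflow's report signature (assumed: HMAC-SHA256)."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


class ParameterRegistry:
    """Per-market bounds the Updater role may tune (assumed shape of the onchain registry)."""

    def __init__(self) -> None:
        self.bounds: Dict[str, Dict[str, Tuple[float, float]]] = {}

    def set_bounds(self, market: str, param: str, lo: float, hi: float) -> None:
        self.bounds.setdefault(market, {})[param] = (lo, hi)

    def in_bounds(self, market: str, param: str, value: float) -> bool:
        bound = self.bounds.get(market, {}).get(param)
        return bound is not None and bound[0] <= value <= bound[1]


class RiskOracle:
    """Destination contract: holds the currently active parameters per market."""

    def __init__(self) -> None:
        self.params: Dict[str, Dict[str, float]] = {}
        self.update_count = 0


class RouterError(Exception):
    pass


class Router:
    """Validates a signed workflow report and applies it to the oracle all-or-nothing."""

    def __init__(self, workflow_keys: Dict[str, bytes], registry: ParameterRegistry, oracle: RiskOracle) -> None:
        self.workflow_keys = workflow_keys   # allow-listed workflow id -> its signing key
        self.registry = registry
        self.oracle = oracle
        self.last_nonce: Dict[str, int] = {}  # per-workflow replay protection

    def submit(self, report: dict, signature: str) -> int:
        wf = report.get("workflow")
        key = self.workflow_keys.get(wf)
        if key is None:
            raise RouterError("unknown workflow")
        # 1. Authenticity: recompute the signature over the canonical bytes, compare in constant time.
        if not hmac.compare_digest(sign_report(report, key), signature):
            raise RouterError("bad signature")
        # 2. Freshness: nonces must strictly increase per workflow, so a captured report cannot be replayed.
        nonce = report["nonce"]
        if nonce <= self.last_nonce.get(wf, -1):
            raise RouterError("stale or replayed report")
        # 3. Policy: every parameter must sit inside the bounds the Updater configured.
        market, params = report["market"], report["params"]
        for name, value in params.items():
            if not self.registry.in_bounds(market, name, value):
                raise RouterError(f"{name}={value} outside registry bounds for {market}")
        # 4. Commit: all checks passed, so the nonce and every parameter are written together.
        self.last_nonce[wf] = nonce
        self.oracle.params.setdefault(market, {}).update(params)
        self.oracle.update_count += 1
        return self.oracle.update_count
```

Because validation runs to completion before the first write, a report with one in-bounds and one out-of-bounds parameter leaves the oracle untouched rather than half-updated, which is the atomicity the text attributes to the single-transaction router. The registry bounds are what give the Updater role its narrow reach: LlamaRisk can move the envelope per market, but cannot push a value through the router that the envelope excludes.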
Certora will audit both the new contracts and the CRE workflow code. Two of the three new contracts, the LlamaguardRiskOracle and the ParameterRegistry, were already reviewed by two security teams as part of an earlier LlamaGuard NAV implementation. The router is the only component without prior audit coverage.
Background
Tuesday’s filings follow two earlier milestones in Aave’s recovery from the April exploit. In May, Aave restored WETH loan-to-value ratios on Ethereum, Arbitrum, Base, Mantle, and Linea as part of the rsETH recovery plan. The same month, LayerZero published its full incident report, which revealed that the bridge had been downgraded from a 2-of-2 to a 1-of-1 DVN configuration before the exploit.
Both ARFCs are in the community feedback phase. If each reaches community consensus, it would proceed to a Snapshot vote and then to an onchain Aave Improvement Proposal.